
Administration Guide

Configuring FortiSwitch QoS


NOTE: FortiSwitch uses “queue-7” for network control and critical management traffic. To avoid affecting this traffic when configuring QoS, either do not oversubscribe queue-7 or avoid using queue-7 for data traffic.

This section provides procedures for the following configuration tasks:

Configure an 802.1p map

Using the GUI:
  1. Go to Switch > QoS > 802.1p.
  2. Select Add Map.
  3. Enter the name of your 802.1p map.
  4. Enter a description of your 802.1p map.
  5. Select the queue number for each priority.
  6. Select Add Map.

Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

Using the CLI:

You can configure an 802.1p map, which defines a mapping between IEEE 802.1p CoS values (from incoming packets on a trusted interface) and the egress queue values.

If you want to enable priority tagging on outgoing frames, enable the egress-pri-tagging option. This option is disabled by default.

NOTE: “Priority tagging” refers to adding a VLAN tag with VLAN 0 and a valid priority value to untagged traffic. If the port is configured to transmit packets with a valid VLAN, priority tagging is not applicable.

    config switch qos dot1p-map
        edit <dot1p map name>
            set description <text>
            set [priority-0|priority-1|priority-2|....priority-7] <queue number>
            set egress-pri-tagging {disable | enable}
        next
    end

For example:

    config switch qos dot1p-map
        edit "test1"
            set priority-0 queue-2
            set priority-1 queue-0
            set priority-2 queue-1
            set priority-3 queue-3
            set priority-4 queue-4
            set priority-5 queue-5
            set priority-6 queue-6
            set priority-7 queue-7
            set egress-pri-tagging enable
        next
    end

Values that are not explicitly included in the map will follow the default mapping, which maps each priority (0-7) to queue 0. If an incoming packet contains no CoS value, the switch assigns a CoS value of zero.

Use the set default-cos command to set a different default CoS value, ranging from 0 to 7:

    config switch interface
        edit port1
            set default-cos <0-7>
        next
    end

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

Configure a DSCP map

A DSCP map defines a mapping between IP precedence or DSCP values and the egress queue values.

Using the GUI:
  1. Go to Switch > QoS > IP/DSCP.
  2. Select Add Map.
  3. Enter the name of your DSCP map.
  4. Enter a description of your DSCP map.
  5. Select which queue to configure.
  6. Select the differentiated services to use.
  7. Select the IP precedence to use.
  8. Enter the raw values to use.
  9. Select Add Map.
Using the CLI:

    config switch qos ip-dscp-map
        edit <ip-dscp map name>
            set description <text>
            config map
                edit <entry-name1>
                    set diffserv [ AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF ]
                    set ip-precedence [ Network Control | Internetwork Control | Critic/ECP | Flash Override | Flash | Immediate | Priority | Routine ]
                    set value <dscp raw value>
                    set cos-queue <queue number>
                next
            end
    end

The following example defines a mapping for two of the DSCP values:

    config switch qos ip-dscp-map
        edit "m1"
            config map
                edit "e1"
                    set cos-queue 0
                    set ip-precedence Immediate
                next
                edit "e2"
                    set cos-queue 3
                    set value 13
                next
            end
        next
    end

Configure the QoS egress policy

In a QoS egress policy, you set the scheduling mode (Strict, Round Robin, or Weighted Round Robin) for the policy, and configure one or more CoS queues.

The QoS egress policy includes the following settings:

  • min-rate (minimum rate in kbps) or min-rate-percent (minimum percentage)
  • max-rate (maximum rate in kbps) or max-rate-percent (maximum percentage)
  • drop policy: tail drop, RED, or WRED
  • weight value (applicable if the policy schedule is weighted)
Using the GUI:
  1. Go to Switch > QoS > Egress Policy.
  2. Select Add Policy.
  3. Enter the name of your QoS egress policy.
  4. Select the scheduling mode to use.
  5. For each queue, enter a description, select the drop policy to use, and enter the minimum rate in kbps, maximum rate in kbps, weight value, and WRED slope. If you select Weighted Random Early Detection Drop Policy, you can use ECN marking by selecting the ECN checkbox.
  6. Select Add.
Using the CLI:

    config switch qos qos-policy
        edit <policy_name>
            set rate-by {kbps | percent}
            set schedule {strict | round-robin | weighted}
            config cos-queue
                edit [queue-0 ... queue-7]
                    set description <text>
                    set drop-policy {taildrop | weighted-random-early-detection}
                    set ecn {enable | disable}
                    set max-rate <rate kbps>
                    set min-rate <rate kbps>
                    set max-rate-percent <percentage>
                    set min-rate-percent <percentage>
                    set weight <value>
                    set wred-slope <value>
                next
            end
        next
    end

Configure the egress drop mode

NOTE: To see which models support this feature, refer to the FortiSwitch feature matrix.

When there are too many packets going through the same egress port, you can choose whether packets are dropped on ingress or egress.

Use the following commands to set the drop mode:

    config switch physical-port
        edit <port>
            set egress-drop-mode <disabled | enabled>
    end

    Variable    Description
    disabled    Drop packets on ingress.
    enabled     Drop packets on egress.

NOTE: Because too many packets are going through the same egress port, you might want to use the pause frame for flow control on the ingress side. To see the pause frame on ingress, enable the flow control “tx” on the ingress interface and disable egress-drop-mode on the egress interface.

Configure the switch ports

You can configure the following QoS settings on a switch port or a trunk:

  • trust dot1p values on ingress traffic and the dot1p map to use
  • trust ip-dscp values on ingress traffic and the ip-dscp map to use. (NOTE: Trust the dot1p values or the ip-dscp values but not both.)
  • an egress policy for the interface
  • a default CoS value (for packets with no CoS value)

If neither of the trust policies is configured on a port, the ingress traffic is mapped to queue 0 on the egress port.

If no egress policy is configured on a port, the FortiSwitch unit applies the default scheduling mode (that is, round-robin).

Using the GUI:
  1. Go to Switch > Interface > Physical.
  2. Select the switch port to update and then select Edit.
  3. Select the QoS egress policy in the QoS Policy drop-down list.
  4. Select the 802.1p map in the Trust 802.1p drop-down list.
  5. Select the DSCP map in the Trust IP-DSCP drop-down list.
  6. Select OK.
Using the CLI:

    config switch interface
        edit <port>
            set trust-dot1p-map <map-name>
            set trust-ip-dscp-map <map-name>
            set qos-policy <policy-name>
            set default-cos <default cos value 0-7>
        next
    end

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

Configure QoS on trunks

Configuring QoS on a trunk interface follows the same configuration steps as for a switch port (configure a Dot1p/DSCP map and an egress policy).

When you add a port to a trunk, the port inherits the QoS configuration of the trunk interface. A port member reverts to the default QoS configuration when it is removed from the trunk interface.

Using the GUI:
  1. Go to Switch > Interface > Trunk.
  2. Select the trunk to update and then select Edit.
  3. Select the QoS egress policy in the QoS Policy drop-down list.
  4. Select the 802.1p map in the Trust 802.1p drop-down list.
  5. Select the DSCP map in the Trust IP-DSCP drop-down list.
  6. Select OK.
Using the CLI:

The following example shows QoS configuration on a trunk interface:

    config switch interface
        edit "tr1"
            set snmp-index 56
            set trust-dot1p-map "dot1p_map1"
            set default-cos 1
            set qos-policy "p1"
        next
    end

When you configure an egress QoS policy with rate control on a trunk interface, that rate control value is applied to each port in the trunk interface. The FortiSwitch unit does not support an aggregate value for the whole trunk interface.

NOTE: The set default-cos command is not available on the following FortiSwitch models: 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448D-POE, 448D-FPOE, 224E, 224E-POE, 248E-POE, and 248E-FPOE.

Configure QoS on VLANs

You can configure a CoS queue value for a VLAN by creating an ACL policy:

    config switch acl ingress
        edit 1
            config action
                set cos-queue 7
                set count enable
            end
            config classifier
                set vlan-id 200
            end
            set ingress-interface "port25"
            set status active
    end

Configure CoS and DSCP markings

You can classify a packet by matching the CoS value, DSCP value, or both CoS and DSCP values. You can also configure the action to set the CoS marking value, DSCP marking value, or both.

    config switch acl ingress
        edit <policy-id>
            config classifier
                set cos <802.1Q CoS value to match>
                set dscp <DSCP value to match>
            end
            config action
                set remark-cos <0-7>
                set remark-dscp <0-63>
            end
        next
    end

For example:

    config switch acl ingress
        edit 1
            config classifier
                set src-mac 11:22:33:44:55:66
                set cos 2
                set dscp 10
            end
            config action
                set count enable
                set remark-cos 4
                set remark-dscp 20
            end
            set ingress-interface port2
            set status active
    end
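
Added example, not part of the Fortinet guide: a small Python audit of FortiSwitch configuration text that lists every 802.1p map priority or cos-queue setting that steers traffic into queue-7 (which the note at the top of this page reserves for network control and management traffic) and every interface that trusts both a dot1p map and an ip-dscp map. The sample configuration and the function names parse and audit are constructed for illustration; findings are candidates for review, not proof of a misconfiguration.

```python
import re

# Constructed sample in FortiSwitch CLI syntax (map and port names are made up).
SAMPLE = """
config switch qos dot1p-map
    edit "voice"
        set priority-7 queue-7
    next
end
config switch acl ingress
    edit 1
        config action
            set cos-queue 7
        end
        config classifier
            set vlan-id 200
        end
        set ingress-interface "port25"
    end
config switch interface
    edit "port3"
        set trust-dot1p-map "voice"
        set trust-ip-dscp-map "m1"
    next
    edit "port4"
        set trust-dot1p-map "voice"
    next
end
"""

def parse(text):
    """Yield (path, key, value) per 'set' line; path is the config/edit stack."""
    stack = []
    for line in text.splitlines():
        word, _, rest = line.strip().partition(" ")
        if word in ("config", "edit"):
            stack.append((word, rest.strip().strip('"')))
        elif word == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif word == "end":
            # 'end' may also close an open 'edit', as in the page's ACL examples
            while stack and stack.pop()[0] != "config":
                pass
        elif word == "set":
            key, _, val = rest.strip().partition(" ")
            yield tuple(stack), key, val.strip().strip('"')

def audit(text):
    """Return findings for queue-7 targets and for ports trusting both map types."""
    findings, trust = [], {}
    for path, key, val in parse(text):
        where = " > ".join(name for _, name in path)
        if (key.startswith("priority-") or key == "cos-queue") and re.fullmatch(r"(queue-)?7", val):
            findings.append(f"queue-7: {where}: {key} {val}")
        if path and path[0][1] == "switch interface" and key in ("trust-dot1p-map", "trust-ip-dscp-map"):
            trust.setdefault(path[-1][1], set()).add(key)
    findings += [f"both-trust: {port}" for port, keys in trust.items() if len(keys) == 2]
    return findings

print("\n".join(audit(SAMPLE)))
```

Call audit() on the text of a saved configuration to obtain the same list of findings for a real device.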
